阅读量:6
使用 `WriteProcessMemory` 进行进程注入是一种常见的非 DLL 注入技术。
以下是一个示例代码,演示了如何使用 `WriteProcessMemory` 注入代码到目标进程:
```cpp
#include#include int main() { // 目标进程名称 const char* targetProcessName = "target.exe"; // 注入的代码 const char* codeToInject = "Your code to inject"; // 获取目标进程 ID DWORD targetProcessId = 0; PROCESSENTRY32 entry; entry.dwSize = sizeof(PROCESSENTRY32); HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); if (Process32First(snapshot, &entry)) { while (Process32Next(snapshot, &entry)) { if (_stricmp(entry.szExeFile, targetProcessName) == 0) { targetProcessId = entry.th32ProcessID; break; } } } CloseHandle(snapshot); // 打开目标进程 HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetProcessId); if (hProcess == NULL) { printf("Failed to open target process.\n"); return 1; } // 在目标进程中分配内存 LPVOID remoteMemory = VirtualAllocEx(hProcess, NULL, strlen(codeToInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (remoteMemory == NULL) { printf("Failed to allocate memory in the target process.\n"); CloseHandle(hProcess); return 1; } // 将代码写入目标进程内存 if (!WriteProcessMemory(hProcess, remoteMemory, codeToInject, strlen(codeToInject), NULL)) { printf("Failed to write code to target process memory.\n"); VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE); CloseHandle(hProcess); return 1; } // 在目标进程中创建远程线程来执行注入的代码 HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remoteMemory, NULL, 0, NULL); if (hRemoteThread == NULL) { printf("Failed to create remote thread in the target process.\n"); VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE); CloseHandle(hProcess); return 1; } printf("Code injected successfully.\n"); // 清理资源 WaitForSingleObject(hRemoteThread, INFINITE); VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE); CloseHandle(hRemoteThread); CloseHandle(hProcess); return 0; }
在这个示例中,你需要将 `target.exe` 替换为目标进程的名称,并将 `Your code to inject` 替换为要注入的代码。代码通
过以下步骤进行注入:
1. 获取目标进程的 ID。
2. 打开目标进程并分配内存。
3. 使用 `WriteProcessMemory` 将代码写入目标进程内存。
4. 创建一个远程线程来执行注入的代码。
5. 清理资源。
